In the past decade or so, many organizations have incorporated network connectivity into their industrial control systems (ICSs) to boost productivity and take advantages of capabilities such as remote access for support. While there are many benefits to bringing connectivity to ICS assets, there are also numerous risks if proper cybersecurity precautions are not taken. ACE thoroughly understands these cybersecurity risks and is excited to be a part of a select group of companies participating in a workgroup hosted by the Organization of Machine Automation and Control (OMAC) focused on developing best practices to secure remote access from cyberattacks.
As an ICS professional, you may be familiar with OMAC from their work developing PackML, an industry standard focused on bringing operational consistency to all machines that make up a packing line. Now, OMAC is using their expertise and working with ei3 to perform the essential task of bringing automation vendors, equipment OEMs, system integrators, and ICS end users together to develop best practices for addressing the security challenges around remote access.
Facilitating collaboration between these different groups is essential because executing remote access cannot be safe and effective without involvement from all these parties. Vendors provide the technologies system integrators, OEMs, and end-users depend on to create secure solutions. System integrators and OEMs have the expert knowledge required to support an end-user’s systems through remote access solutions, while the end-users ultimately provide the infrastructure for remote access and, therefore, own the cybersecurity risk. As a result, OMAC felt it was crucial for all these parties to have a platform to discuss the common threats and challenges around remote access cybersecurity and to work together to establish best practices the entire industry could benefit from.
Our Take on the 2021 OMAC Remote Access Workgroup
The main goal of the 2021 remote access workgroup was to expand on OMAC’s 2020 workgroup that developed the “Practical Guide for Remote Access to Plant Equipment.” This document provides an excellent overview of how to identify the necessary participants for establishing remote access, how to develop a remote access plan, and how to foster collaboration between IT and OT within an organization in the setup of remote access. The goal of this second workgroup was to focus specifically on the cybersecurity concerns of remote access and to provide best practices for the following methods for remote access:
- Direct VPN
- Converged Network
- Cell Modem Access
- Black Box
- External Managed Secure Network
Consideration was also given to on-site technician access and how it compares to these remote access methods, and how it is sometimes just a “backdoor” to one of the above.
We were excited to have the opportunity to participate in this workgroup because we felt we could bring valuable insight on how to address the technical and organizational challenges involved in creating secure remote access solutions based on our networking and automation expertise.
Below is a summary of the ground covered during the four workgroup sessions in which we participated:
- Defining the threat vector – A discussion about the motivations of those who initiate an attack on a remote access point and the technologies they use. We also talked about common internal activities that could occur inadvertently and pose a security risk due to a lack of guardrails being in place.
- Assessing external network connections – An assessment of the vulnerabilities created by making the initial external connection and the actual risks posed by those vulnerabilities versus the operational benefits. Fruitful discussion was had around how the different perspectives of stakeholders leads to different perceptions of the risks and benefits.
- Navigating and connecting through internal OT Networks – A discussion on how remote access fits into the overall OT network landscape and the methods for restricting access to different functions and/or components within the network to certain people based on need and a definition of privileged functions.
- Balancing security with operational performance and business requirements – Since remote access is just one small part of the broader cybersecurity program, we discussed the types of broader cybersecurity policies needed to create effective protections and risk mitigation for OT assets being served by remote access capabilities. We also talked about best practices for coordinating with all the internal stakeholders for OT networks including the end user, business unit owners, and IT, and how to define each party’s responsibilities regarding remote access.
Laying the Foundation for Secure Remote Access
Remote access for ICSs is just one component of the OT network, but it is now an expected function for maintaining uptime and throughput for many systems. Because remote access presents a pathway from the Internet and external networks, keeping it secure is a critical component of the overall ICS cybersecurity landscape. With high-profile cyber attacks becoming more common, such against the Oldsmar water treatment plant in Florida in February 2021, there is more pressure on industrial plant operators to thoroughly review their policies and procedures around remote access. The work being done through the participants in these OMAC groups is crucial because it will provide organizations with a critical foundation for defining how remote access should be established and monitored to maintain the safety and security of their ICS equipment.
Improved Safety and Production Performance through Better Alarm Management
Ever misplace something important? Ever have too many important things on your to-do list and can’t...
Applied Control Engineering Named 2021 System Integrator of the Year
We are excited to share that this week, ACE was recognized as the 2021 CFE Media System Integrator...
Five Ways to Get the Most Out of Your Control System Modernization Plan
Alarm alerts are flashing across you operator’s screen as the production line comes to a halt for...